Issue 1727 - Prevent circumvention via WebSocket

include.preload.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 var MutationObserver = window.MutationObserver || window.WebKitMutationObserver;
 var SELECTOR_GROUP_SIZE = 200;
+var id = Math.random().toString(36).substr(2);
 
 var typeMap = {
   "img": "IMAGE",
   "input": "IMAGE",
   "picture": "IMAGE",
   "audio": "MEDIA",
   "video": "MEDIA",
   "frame": "SUBDOCUMENT",
   "iframe": "SUBDOCUMENT",
   "object": "OBJECT",
@@ skipping 312 matching lines @@
   var observer = new MutationObserver(function()
   {
     if (style.parentNode != parentNode)
       parentNode.appendChild(style);
   });
 
   observer.observe(parentNode, {childList: true});
   return observer;
 }
 
-function protectStyleSheet(document, style)
-{
-  var id = Math.random().toString(36).substr(2);
-  style.id = id;
-
-  var code = [
-    "(function()",
-    "{",
-    '  var style = document.getElementById("' + id + '") ||',
-    '              document.documentElement.shadowRoot.getElementById("' + id + '");',
-    '  style.removeAttribute("id");'
-  ];
-
-  var disableables = ["style", "style.sheet"];
-  for (var i = 0; i < disableables.length; i++)
-  {
-    code.push("  Object.defineProperty(" + disableables[i] + ', "disabled", '
-                                         + "{value: false, enumerable: true});");
-  }
-
-  var methods = ["deleteRule", "removeRule"];
-  for (var j = 0; j < methods.length; j++)
-  {
-    var method = methods[j];
-    if (method in CSSStyleSheet.prototype)
-    {
-      var origin = "CSSStyleSheet.prototype." + method;
-      code.push("  var " + method + " = " + origin + ";",
-                "  " + origin + " = function(index)",
-                "  {",
-                "    if (this != style.sheet)",
-                "      " + method + ".call(this, index);",
-                "  }");
-    }
-  }
-
-  code.push("})();");
-
+function runInPage(fn, arg)
+{
   var script = document.createElement("script");
+  script.type = "application/javascript";
   script.async = false;
-  script.textContent = code.join("\n");
+  script.textContent = "(" + fn + ")(" + JSON.stringify(arg) + ");";
   document.documentElement.appendChild(script);
   document.documentElement.removeChild(script);
 }
 
+function protectStyleSheet(document, style)
+{
+  style.id = id;
+
+  runInPage(function(id)
+  {
+    var style = document.getElementById(id) ||
+                document.documentElement.shadowRoot.getElementById(id);
+    style.removeAttribute("id");
+
+    var disableables = [style, style.sheet];
+    for (var i = 0; i < disableables.length; i++)
+      Object.defineProperty(disableables[i], "disabled",
+                            {value: false, enumerable: true});
+
+    ["deleteRule", "removeRule"].forEach(function(method)
+    {
+      var original = CSSStyleSheet.prototype[method];
+      CSSStyleSheet.prototype[method] = function(index)
+      {
+        if (this != style.sheet)
+          original.call(this, index);
+      };
+    });
+  }, id);
+}
+
 // Neither Chrome[1] nor Safari allow us to intercept WebSockets, and therefore
 // some ad networks are misusing them as a way to serve adverts and circumvent
-// us. As a workaround we wrap WebSocket, closing connections that would have
-// otherwise been blocked.
+// us. As a workaround we wrap WebSocket, preventing blocked WebSocket
+// connections from being opened.
 // [1] - https://bugs.chromium.org/p/chromium/issues/detail?id=129353
 function wrapWebSocket()
 {
   if (typeof WebSocket == "undefined")
     return;
 
-  var eventName = "abpws-" + Math.random().toString().substr(2);
+  var eventName = "abpws-" + id;
 
   document.addEventListener(eventName, function(event)
   {
     ext.backgroundPage.sendMessage({
       type: "websocket-request",
       url: event.detail.url
     }, function (block)
     {
       document.dispatchEvent(
         new CustomEvent(eventName + "-" + event.detail.url, {detail: block})
       );
     });
   });
 
-  function wrapper(eventName)
-  {
-    var originalWebSocket = WebSocket;
-    var readyStates = {
-      CLOSED: {value: 3, enumerable: true},
-      CLOSING: {value: 2, enumerable: true},
-      OPEN: {value: 1, enumerable: true},
-      CONNECTING: {value: 0, enumerable: true}
-    };
-
-    WebSocket = function(url, protocol)
-    {
-      var websocket = new originalWebSocket(url, protocol);
-      var properties = Object.create(null);
-
-      function getSet(key)
-      {
-        return {get: function() { return websocket[key]; },
-                set: function(value) { return websocket[key] = value; },
-                enumerable: true};
-      }
-      function funcWrap(key)
-      {
-        return {value: function() { websocket[key].apply(websocket, arguments); },
-                enumerable: true};
-      }
-
-      var key;
-      for (key of ["close", "send", "addEventListener", "removeEventListener"])

[Sebastian Noack, 2016/06/28 16:17:51]

Is this script processed with jsHydra? It seems not. Otherwise, this won't work
on old browser versions.

[kzar, 2016/06/29 13:40:30]

Acknowledged.

-        properties[key] = funcWrap(key);
-      for (key of ["url", "protocol", "readyState", "extensions", "bufferedAmount",
-                   "binaryType", "onopen", "onclose", "onerror", "onmessage"])
-        properties[key] = getSet(key);
-
-      Object.defineProperties(this, properties);
-
+  runInPage(function(eventName)
+  {
+    // As far as possible we must track everything we use that could be
+    // sabotaged by the website later in order to circumvent us.
+    var RealWebSocket = WebSocket;
+    var closeWebSocket = Function.prototype.call.bind(RealWebSocket.prototype.close);
+    var addEventListener = document.addEventListener.bind(document);
+    var removeEventListener = document.removeEventListener.bind(document);
+    var dispatchEvent = document.dispatchEvent.bind(document);
+    var CustomEvent = window.CustomEvent;
+
+    function checkRequest(url, callback)
+    {
       var incomingEventName = eventName + "-" + url;
       function listener(event)
       {
-        if (event.detail)
-          websocket.close();

[Sebastian Noack, 2016/06/28 16:17:51]

As Lain pointed out, this approach allows WebSockets to be opened, sending and
potentially even retrieving data until we get an asynchronous response from the
background page. So we should rather defer opening the WebSocket until we got a
response from the background page.

[kzar, 2016/06/28 16:32:40]

I actually tested this with WireShark and I found no requests made it out before
the WebSocket was closed. (Not even the initial HTTP request that requested the
upgrade to the WebSocket protocol!)

I concede that the initial HTTP request might sometimes be sent, but rewriting
the wrapper to defer all method calls, adding/removing of event listeners and
property assignments assignments until after the block/allow result has been
asynchronously returned is no simple matter, is it really worth it?!

[Sebastian Noack, 2016/06/28 17:04:58]

I have two concerns here:

1. It might be a potential timing issue, i.e. depend on how fast the response
arrives.
2. It might be an implementation detail that is matter to change or differ
accross platforms.

[kzar, 2016/06/29 13:40:31]

OK, done.

-
-        document.removeEventListener(incomingEventName, listener);
-      }
-      document.addEventListener(incomingEventName, listener);
-
-      document.dispatchEvent(new CustomEvent(eventName, {
-        detail: {url: url, protocol: protocol}
+        callback(event.detail);
+        removeEventListener(incomingEventName, listener);
+      }
+      addEventListener(incomingEventName, listener);
+
+      dispatchEvent(new CustomEvent(eventName, {
+        detail: {url: url}
       }));
-    };
-    WebSocket.prototype = Object.create(window.EventTarget.prototype, readyStates);
-    Object.defineProperties(WebSocket, readyStates);
-
-    var script = document.currentScript;
-    script.parentNode.removeChild(script);
-  }
-
-  var script = document.createElement("script");
-  script.textContent = "(" + wrapper.toString() + ")(\"" + eventName + "\");";

[Sebastian Noack, 2016/06/28 16:17:51]

Ideally, we inject only one script. Note that we already inject a script to
prevent the DOM API from messing with our stylesheet. So mind merging those
scripts?

[kzar, 2016/06/29 13:40:30]

Done.

-  document.documentElement.appendChild(script);
+    }
+
+    WebSocket = function WrappedWebSocket(url, protocols)
+    {
+      // Throw correct exceptions if the constructor is used improperly.
+      if (!(this instanceof WrappedWebSocket)) return RealWebSocket();
+      if (arguments.length < 1) return new RealWebSocket();
+
+      var websocket = new RealWebSocket(url, protocols);
+
+      checkRequest(websocket.url, function(blocked)
+      {
+        if (blocked)
+          closeWebSocket(websocket);
+      });
+
+      return websocket;
+    }.bind();
+
+    Object.defineProperties(WebSocket, {
+      CONNECTING: {value: RealWebSocket.CONNECTING, enumerable: true},
+      OPEN: {value: RealWebSocket.OPEN, enumerable: true},
+      CLOSING: {value: RealWebSocket.CLOSING, enumerable: true},
+      CLOSED: {value: RealWebSocket.CLOSED, enumerable: true},
+      prototype: {value: RealWebSocket.prototype}
+    });
+
+    RealWebSocket.prototype.constructor = WebSocket;
+  }, eventName);
 }
 
 function init(document)
 {
   var shadow = null;
   var style = null;
   var observer = null;
   var tracer = null;
 
   wrapWebSocket();
@@ skipping 161 matching lines @@
   }, true);
 
   return updateStylesheet;
 }
 
 if (document instanceof HTMLDocument)
 {
   checkSitekey();
   window.updateStylesheet = init(document);
 }